From 580d540ea907ba15f64379c5bb69ecf1a49a875f Mon Sep 17 00:00:00 2001
From: Thomas Lamprecht
Date: Sat, 2 Jul 2022 07:56:12 +0200
Subject: [PATCH] proxy request: assert that API url starts with a slash
We implicitly assume that to be the case when assembling the target URL, so assert it explicitly as it's user controlled input.
Signed-off-by: Thomas Lamprecht
Originally-by: Wolfgang Bumiller
---
 src/PVE/APIServer/AnyEvent.pm | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm
index 24b2002..8533c2f 100644
--- a/src/PVE/APIServer/AnyEvent.pm
+++ b/src/PVE/APIServer/AnyEvent.pm
@@ -702,6 +702,14 @@ sub proxy_request {
 eval {
 my $target;
 my $keep_alive = 1;
+
+ # stringify URI object and verify it starts with a slash
+ $uri = "$uri";
+ if ($uri !~ m@^/@) {
+ $self->error($reqstate, 400, "invalid proxy uri");
+ return;
+ }
+
 if ($host eq 'localhost') {
 $target = "http://$host:85$uri";
 # keep alive for localhost is not worth (connection setup is about 0.2ms)
-- 2.39.2
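Review bot: The `return;` in the new rejection branch sits inside `eval {`, so it leaves only the eval block and not `proxy_request` itself. The end of the eval and anything after it are outside this hunk, so confirm that no statement following the block continues with the request once the 400 has been sent. The comment above the check also says what is verified but not why; something like `# $uri is appended directly after "$host:85" below, so it must start the path` would tie it to the `$target` assembly a few lines down.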